Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

GNSO Policy Recommendations on Privacy & Proxy Services Accreditation

Resolution of the ICANN Board

Topic:

Board hereby adopts all the final recommendations of the Privacy & Proxy Services Accreditation Issues PDP Working Group

Summary:

The ICANN Board hereby adopts all the final recommendations of the Privacy & Proxy Services Accreditation Issues PDP Working Group, directs the President and CEO, or his authorized designee, to develop and execute an implementation plan

Whereas, on 31 October 2013, the GNSO Council approved the charter for a Working Group to conduct a Policy Development Process that had been requested by the ICANN Board concerning the accreditation by ICANN of privacy and proxy domain name registration service providers, as further described at http://gnso.icann.org/en/drafts/raa-pp-charter-22oct13-en.pdf [PDF, 463 KB].

Whereas, the PDP followed the prescribed PDP steps as stated in the ICANN Bylaws, resulting in a Final Report being delivered to the GNSO Council on 8 December 2015.

Whereas, the GNSO Council reviewed and discussed the final recommendations of the Privacy & Proxy Services Accreditation Issues PDP WG, and adopted the recommendations on 21 January 2016 by a unanimous vote (see http://gnso.icann.org/en/council/resolutions - 201601.)

Whereas, the GNSO Council vote exceeded the required voting threshold (i.e. supermajority) to impose new obligations on ICANN contracted parties.

Whereas, in accordance with the ICANN Bylaws, a public comment period was opened on the approved recommendations to provide the community with a reasonable opportunity to comment on their adoption prior to action by the ICANN Board, and the comments received have been summarized and reported (see https://www.icann.org/en/system/files/files/report-comments-ppsai-recomm... [PDF, 299 KB]).

Whereas, the ICANN Bylaws provide that the Board is to request the GAC's opinion regarding "any policies that are being considered by the Board for adoption that substantially affect the operation of the Internet or third parties, including the imposition of any fees or charges" and "take duly into account any advice timely presented" as a result.

Whereas, in its Marrakech Communiqué issued on 9 March 2016 the GAC advised the ICANN Board that it needed more time to consider potential public policy concerns relating to the adoption of the final PDP recommendations (see https://gacweb.icann.org/download/attachments/28278854/GAC Morocco 55 Communique FINAL.pdf?version=1&modificationDate=1458046221000&api=v2 [PDF, 567 KB]).

Whereas, in its Helsinki Communiqué issued on 30 June 2016 the GAC advised the ICANN Board to direct that the GAC's concerns be effectively addressed to the greatest extent feasible by the Implementation Review Team that is to be convened to implement the adopted recommendations (see https://gacweb.icann.org/display/gacweb/Governmental+Advisory+Committee?... [PDF, 328 KB]).

Resolved (2016.08.09.08), the Board hereby adopts all the final recommendations of the Privacy & Proxy Services Accreditation Issues PDP Working Group, as passed by a unanimous vote of the GNSO Council on 21 January 2016 ("Privacy/Proxy Policy Recommendations").

Resolved (2016.08.09.09), the Board directs the President and CEO, or his authorized designee, to develop and execute an implementation plan, including costs and timelines, for the Privacy/Proxy Policy Recommendations consistent with ICANN Bylaws Annex A and the Implementation Review Team Guidelines & Principles endorsed by the Board on 28 September 2015 (see https://www.icann.org/resources/board-material/resolutions-2015-09-28-en - 2.f), and to continue communication with the community on such work. In the event that policy issues arise in the course of implementation discussions, they should be referred back to the GNSO in accordance with the framework for implementation associated with GNSO policy recommendations, including the Implementation Review Team Guidelines & Principles.

Resolved (2016.08.09.10), the Board acknowledges the GAC's advice from the Helsinki Communiqué regarding the Privacy/Proxy Policy Recommendations. The Board will consider the GAC's advice and provide input to the Implementation Review Team for consideration in implementation planning.

Rationale for Resolution:

Why is the Board addressing the issue now?

In initiating negotiations with the Registrar Stakeholder Group for new form of Registrar Accreditation Agreement (RAA) in October 2011, the ICANN Board also requested an Issue Report from the GNSO that, upon the conclusion of the RAA negotiations, would start a GNSO PDP to address remaining issues not dealt with in the RAA negotiations. In June 2013, the ICANN Board approved a new 2013 RAA, and the topic of accrediting privacy and proxy services was identified as the sole issue to be resolved through a GNSO PDP. This topic had also been noted by the Whois Review Team in its Final Report, published in May 2012, in which the Review Team had highlighted the current lack of clear and consistent rules regarding these services, resulting in unpredictable outcomes for stakeholders. The Review Team thought that appropriate regulation and oversight over such services would address stakeholder needs and concerns, and recommended that ICANN consider an accreditation system. Until the development of an accreditation program, only certain aspects of such services are covered by an interim specification to the 2013 RAA, which is due to expire on 1 January 2017 or the implementation by ICANN of an accreditation program, whichever first occurs.

The GNSO Council approved all the final recommendations from the PDP Working Group's Final Report dated 8 December 2015 at its meeting on 21 January 2016, as well as a Recommendations Report to the Board in February 2016. In accordance with the ICANN Bylaws, a public comment period was opened to facilitate public input on the adoption of the recommendations following which the PDP recommendations were forwarded to the Board for its review. On 15 May 2016, the Board resolved to consider action on the recommendations at the first Board meeting following ICANN56 in Helsinki, Finland, to enable the GAC to provide timely advice on public policy concerns raised by the PDP recommendations, if any. The GAC's advice in its Helsinki Communiqué was for the Board to direct that the GAC's concerns be effectively addressed to the greatest extent possible during the implementation phase of the PDP recommendations.

What is the proposal being considered?

The GNSO's policy recommendations include minimum mandatory requirements for the operation of privacy and proxy services; the maintenance of designated contact points for abuse reporting and the publication of a list of accredited providers; requirements related to the handling of requests for disclosure and/or publication of a customer's contact details by certain third party requesters; conditions regarding the disclosure and publication of such details as well as the refusal to disclose or publish; and principles governing the de-accreditation of service providers. The full list and scope of the final recommendations can be found in Annex A of the GNSO Council's Recommendations Report to the Board (see http://gnso.icann.org/en/drafts/council-board-ppsai-recommendations-09fe... [PDF, 491 KB].

Which stakeholders or others were consulted?

As required by the GNSO's PDP Manual, the Working Group reached out to all GNSO Stakeholder Groups and Constituencies as well as other ICANN Supporting Organizations and Advisory Committees for input during the early phase of the PDP. The Working Group also held open community sessions at all the ICANN Public Meetings that occurred during the life cycle of this PDP. It also sought input on potential implementation issues from ICANN's Registrar Services and Compliance teams. Public comment periods were opened for the Preliminary Issue Report that preceded the PDP, the Working Group's Initial Report, and the GNSO Council's adoption of the Working Group's Final Report. The final recommendations as detailed in the Final Report were completed based on the Working Group's review and analysis of all the public comments and input received in response to its Initial Report.

Following the GAC's advice in its Marrakech Communiqué of 9 March 2016 and the Board's resolution of 15 May 2016, discussions also took place amongst the Board and community on the topic at ICANN56 in Helsinki, Finland.

What concerns or issues were raised by the community?

A significant number of public comments were received by the Working Group concerning the possibility that a distinction might be made between domain name registrants with domains serving non-commercial purposes and registrants who conduct online financial transactions. This had been an open question in the Working Group's Initial Report, as at the time a number of Working Group members had supported that distinction. As a result of further Working Group deliberations following review of the public comments received, the Working Group reached consensus on a recommendation that no such distinction be made for purposes of accrediting services.

Concerns had also been expressed over the need to ensure that there are adequate safeguards in place for maintaining the privacy of customer data, and that a reasonable balance is struck as between a legitimate need for access to information (e.g. by law enforcement and intellectual property rights-holders) and that of protecting privacy. Many public comments received in response to the Working Group's Initial Report also highlighted the potential dangers of disclosing private information without cause, including the threat to the physical safety of certain groups of domain name registrants and privacy/proxy customers. The Working Group's final recommendations include a number of suggested principles and policies that aim to provide more concrete guidance than exists at present for privacy and proxy services, third party requesters of customer information, and domain name registrants in relation to topics such as the handling of customer notifications, information requests and domain name transfers.

The Working Group also received several comments concerning the lack of a detailed framework for the submission and confidential handling of disclosure requests from law enforcement authorities, including from the GAC's Public Safety Working Group. In its Initial Report, the Working Group sought community input on the question as to whether and how such a framework might be developed as well as on more specific questions such as whether it should be mandatory for accredited providers to comply with express requests from law enforcement authorities in the provider's jurisdiction not to notify a customer. Based on input received, the Working Group agreed that accredited privacy and proxy service providers should comply with express law enforcement requests not to notify a customer where this is required by applicable law. Providers would be free to voluntarily adopt more stringent standards or otherwise cooperate with law enforcement authorities. The Working Group's Final Report also contains a suggestion for certain minimum requirements that could be included if such a framework is to be developed during the implementation phase of the adopted PDP recommendations.

What significant materials did the Board review?

The Board reviewed the PDP Working Group's Final Report, the GNSO Council's Recommendations Report on the topic to the Board, the summary of public comments received in response to the public comment period that was opened following the GNSO Council's adoption of the recommendations contained in the Final Report, and GAC advice received on the topic, as provided in the Marrakech and Helsinki Communiqués.

What factors did the Board find to be significant?

The recommendations were developed following the GNSO Policy Development Process as set out in Annex A of the ICANN Bylaws and have received the unanimous support of the GNSO Council. As outlined in the ICANN Bylaws, the Council's supermajority support obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the recommended policy is not in the best interests of the ICANN community or ICANN.

The Bylaws also allow for input from the GAC in relation to public policy concerns that might be raised if a proposed policy is adopted by the Board. The GAC had raised this possibility with respect to this PDP and the Board will continue to consider the advice that the GAC provided.

Are there positive or negative community impacts?

Developing a full accreditation program for privacy and proxy service providers will require significant resources and take a substantial period of time. It is likely that the interim specification contained in the 2013 RAA will need to be extended beyond its current expiration date of 1 January 2017, to allow for development of such a program.

Implementing the GNSO's recommendations will result in a more uniform set of standards for many aspects of privacy and proxy services, including more consistent procedures for the handling, processing and determination of third party requests by accredited providers, into which reasonable safeguards to protect consumer privacy can be incorporated and public policy concerns highlighted by the GAC addressed as far as possible. At present, there is no accreditation scheme in place for privacy and proxy services and no agreed community-developed set of best practices for the provision of such services. This PDP represents an attempt to develop a sound basis for the development and implementation of an accreditation framework by ICANN and is part of ICANN's on-going efforts to improve the Whois system, including implementing recommendations made previously by the Whois Review Team.

Nevertheless, as highlighted above, the implementation of all the recommendations from the PDP will be time and resource-intensive due to the scale of the project and the fact that this will be the first time ICANN has implemented such a program for this industry sector. While the RAA may serve as a useful reference point for this program, the Working Group's Final Report acknowledged that this may not be the most appropriate model for a number of reasons. Ensuring that the implementation planning addresses as fully as possible the public policy concerns that have been identified by the GAC, including possibly developing a disclosure framework for law enforcement authorities, is likely to form a substantial part of the implementation work.

The Working Group's Final Report also notes areas where additional work may be required, which could increase the community's workload in the near term. For example, the issue of privacy and proxy services in the context of domain name transfers will need to be addressed in the next review of the Inter-Registrar Transfer Policy.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

There may be fiscal impacts on ICANN associated with the creation of a new accreditation program specifically covering providers of privacy and proxy services. The implementation plan should take into account costs and timelines for implementation. As the current interim specification in the RAA applicable to such services is due to expire on 1 January 2017, consideration will also need to be given to extending its duration upon adoption of the PDP recommendations.

Are there any security, stability or resiliency issues relating to the DNS?

There are no security, stability or resiliency issues relating to the DNS that can be directly attributable to the implementation of the PDP recommendations. While the accreditation of privacy and proxy service providers is part of the overall effort at ICANN to improve the Whois system, it does not affect or change either the Whois protocol (including the rollout of the new RDAP) or the current features of the Whois system. The Working Group made its final recommendations with the understanding that implementation of its recommendations would be done in the context of any other policy or technical changes to the Whois system, which are outside the scope of this PDP.